The Dutch Data Protection Authority (DPA) has imposed a €290 million fine on Uber (NYSE:UBER) for violating data protection regulations. This marks the third time the DPA has penalized Uber, with earlier fines including €600,000 in 2018 and €10 million in 2023. The current fine follows an investigation into Uber’s handling of European taxi drivers’ personal data, which was transferred to the United States without adequate safeguards. The misuse of personal data, including account details and location data, was cited as a serious violation of the General Data Protection Regulation (GDPR).
Uber has been in the spotlight for data protection issues before. In 2016, the company faced scrutiny for a significant data breach affecting 57 million riders and drivers worldwide, resulting in fines from multiple countries. More recently, Uber was fined $148 million in the U.S. for covering up the same data breach. These instances highlight a pattern of data protection lapses at Uber, reflecting systemic issues within the company’s data handling practices. The latest fine underscores the ongoing challenges Uber faces in complying with international data protection standards.
The reason behind the fine
The Dutch DPA found that Uber transferred European drivers’ personal data to the U.S. over a period exceeding two years without using appropriate transfer tools. This resulted in insufficient protection, especially after the EU-US Privacy Shield was invalidated in 2020. Although Standard Contractual Clauses could be used for data transfers outside the EU, Uber stopped using these in August 2021, leading to a lack of adequate protection.
The personal data in question included sensitive information such as account details, location data, payment details, and even criminal and medical records. This led the Dutch DPA to consider it a serious GDPR violation. Uber has since ended the breach and now uses the successor to the Privacy Shield.
Complaints from over 170 French drivers
The Dutch DPA’s investigation was initiated following complaints from over 170 French drivers, submitted through the French human rights group Ligue des droits de l’Homme (LDH). Since Uber’s European headquarters is based in the Netherlands, the Dutch DPA took the lead in the investigation, coordinating with other European DPAs. This cooperation underscores the interconnected nature of GDPR enforcement across EU member states.
Fines for GDPR violations can reach up to 4% of a company’s global annual turnover. Given Uber’s reported worldwide turnover of approximately €34.5 billion in 2023, the €290 million fine represents a significant penalty. Uber has already stated its intention to object to the fine, continuing its trend of contesting regulatory actions.
Analyzing the broader context of Uber’s data protection issues reveals persistent challenges the company faces in aligning with global data privacy standards. This latest fine by the Dutch DPA serves as a reminder of the stringent requirements of the GDPR and the importance of robust data protection measures. Businesses operating within the EU must prioritize the protection of personal data to avoid similar penalties. Enhanced scrutiny from data protection authorities across Europe indicates a tightening regulatory environment, compelling companies to reassess their data management practices.